drivers/infiniband/hw/irdma/hw.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
irdma_process_aeq() trusts the QP/CQ identifier decoded from the
hardware AEQE and uses it to index rf->qp_table[] and rf->cq_table[]
without first checking that the identifier fits the allocated table.
Reject AEQ entries whose QP or CQ ids fall outside rf->max_qp or
rf->max_cq before touching the tables. This keeps malformed or stale
hardware event records from walking past the end of the driver-owned
resource arrays.
---
drivers/infiniband/hw/irdma/hw.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
index f4ae530f56db..32d7ac7d3885 100644
--- a/drivers/infiniband/hw/irdma/hw.c
+++ b/drivers/infiniband/hw/irdma/hw.c
@@ -313,6 +313,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
info->iwarp_state, info->ae_src);
if (info->qp) {
+ if (unlikely(info->qp_cq_id >= rf->max_qp)) {
+ ibdev_warn_ratelimited(&iwdev->ibdev,
+ "AEQ reported invalid QP id %u\n",
+ info->qp_cq_id);
+ continue;
+ }
+
spin_lock_irqsave(&rf->qptable_lock, flags);
iwqp = rf->qp_table[info->qp_cq_id];
if (!iwqp) {
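Review bot: The new bound `if (unlikely(info->qp_cq_id >= rf->max_qp))` carries no comment saying why a value the driver decodes itself is range-checked, and the hunk does not show that qp_table[] is sized by rf->max_qp. I would add `/* qp_cq_id is decoded from the device-written AEQE; bound it before indexing qp_table[] */` above the check. It is also worth confirming at the allocation site that max_qp is the actual table length and not a larger capability value. The same applies to the `rf->max_cq` check in the second hunk. The body of irdma_process_aeq() starts and ends outside this hunk.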
@@ -413,6 +420,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
"Processing an iWARP related AE for CQ misc = 0x%04X\n",
info->ae_id);
+ if (unlikely(info->qp_cq_id >= rf->max_cq)) {
+ ibdev_warn_ratelimited(&iwdev->ibdev,
+ "AEQ reported invalid CQ id %u\n",
+ info->qp_cq_id);
+ continue;
+ }
+
spin_lock_irqsave(&rf->cqtable_lock, flags);
iwcq = rf->cq_table[info->qp_cq_id];
if (!iwcq) {
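Review bot: The `continue` in the new invalid-CQ-id branch skips whatever the loop does after this point, and the hunk does not show whether that tail releases anything acquired earlier in the same iteration. The first hunk shows that an entry with `info->qp` set looks up `iwqp`; if the full function takes a reference on it, a malformed entry that sets `info->qp` and also lands in this CQ branch may leave that reference held. If so, release it before leaving, for example `if (info->qp) irdma_qp_rem_ref(&iwqp->ibqp);` ahead of the `continue`, and check whether the existing `if (!iwcq)` path has the same gap. irdma_process_aeq() starts and ends outside the hunk.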
--
2.50.1 (Apple Git-155)
On Tue, Mar 24, 2026 at 09:44:59AM +0800, Pengpeng Hou wrote:
> irdma_process_aeq() trusts the QP/CQ identifier decoded from the
> hardware AEQE and uses it to index rf->qp_table[] and rf->cq_table[]
> without first checking that the identifier fits the allocated table.
HW should be programmed to provide valid index.
Thanks
>
> Reject AEQ entries whose QP or CQ ids fall outside rf->max_qp or
> rf->max_cq before touching the tables. This keeps malformed or stale
> hardware event records from walking past the end of the driver-owned
> resource arrays.
> ---
> drivers/infiniband/hw/irdma/hw.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
> index f4ae530f56db..32d7ac7d3885 100644
> --- a/drivers/infiniband/hw/irdma/hw.c
> +++ b/drivers/infiniband/hw/irdma/hw.c
> @@ -313,6 +313,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
> info->iwarp_state, info->ae_src);
>
> if (info->qp) {
> + if (unlikely(info->qp_cq_id >= rf->max_qp)) {
> + ibdev_warn_ratelimited(&iwdev->ibdev,
> + "AEQ reported invalid QP id %u\n",
> + info->qp_cq_id);
> + continue;
> + }
> +
> spin_lock_irqsave(&rf->qptable_lock, flags);
> iwqp = rf->qp_table[info->qp_cq_id];
> if (!iwqp) {
> @@ -413,6 +420,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
> "Processing an iWARP related AE for CQ misc = 0x%04X\n",
> info->ae_id);
>
> + if (unlikely(info->qp_cq_id >= rf->max_cq)) {
> + ibdev_warn_ratelimited(&iwdev->ibdev,
> + "AEQ reported invalid CQ id %u\n",
> + info->qp_cq_id);
> + continue;
> + }
> +
> spin_lock_irqsave(&rf->cqtable_lock, flags);
> iwcq = rf->cq_table[info->qp_cq_id];
> if (!iwcq) {
> --
> 2.50.1 (Apple Git-155)
>
>